Skip to main content

OpenClaw CVE-2026-43531

| EUVDEUVD-2026-27273 HIGH
External Control of System or Configuration Setting (CWE-15)
2026-05-05 VulnCheck
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 05, 2026 - 12:49 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 05, 2026 - 12:37 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 12:37 NVD
7.3 (HIGH) 7.0 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 12:19 vuln.today
Analysis Generated
May 05, 2026 - 12:19 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.9.

DescriptionCVE.org

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior.

AnalysisAI

Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.

Technical ContextAI

This vulnerability (CWE-15: External Control of System or Configuration Setting) affects the dotenv configuration loading mechanism in OpenClaw, an npm package for AI-assisted development workflows. The affected product (cpe:2.3:a:openclaw:openclaw) loads workspace-local .env files to set environment variables but failed to filter runtime-control variables before version 2026.4.9. The commit dbfcef319618158fa40b31cdac386ea34c392c0c introduces a comprehensive blocklist of 37 sensitive variable names and six prefix families (OPENCLAW_UPDATE_*, OPENCLAW_SKIP_*, OPENCLAW_DISABLE_*, OPENCLAW_CLAWHUB_*, CLAWHUB_*, ANTHROPIC_API_KEY_*) to prevent workspace .env files from hijacking application runtime behavior. The fix preserves user-defined environment variables (like GITHUB_TOKEN, DATABASE_URL_CUSTOM) while blocking variables controlling update mechanisms (OPENCLAW_UPDATE_PACKAGE_SPEC), network routing (OPENCLAW_GATEWAY_URL, CLAWHUB_URL), authentication tokens (CLAWHUB_TOKEN, CLAWHUB_AUTH_TOKEN), binary execution paths (BROWSER_EXECUTABLE_PATH, PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH), plugin catalog sources (OPENCLAW_PLUGIN_CATALOG_PATHS), and diagnostic controls (OPENCLAW_SHOW_SECRETS). The vulnerability exists because workspace .env files, intended for project-specific configuration, could override system-level security controls designed to protect the OpenClaw runtime environment.

RemediationAI

Upgrade the OpenClaw npm package to version 2026.4.9 or later, with 2026.4.14 recommended as the current stable release incorporating the fix. Execute 'npm update openclaw' or modify package.json to specify '"openclaw": "^2026.4.9"' and run 'npm install'. The fix is implemented in commit dbfcef319618158fa40b31cdac386ea34c392c0c and merged via pull request #62660, both linked in the GitHub advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc. The patch introduces a blocklist of 37 runtime-control variables and six prefix families to prevent workspace .env files from injecting sensitive configuration. If immediate upgrade is not feasible, implement compensating controls: (1) Restrict workspace .env file permissions to read-only for the OpenClaw process user to prevent runtime modification, though this does not block load-time injection; (2) Conduct manual code review of all .env files in cloned repositories before opening workspaces, searching for blocked variable names listed in the advisory (OPENCLAW_UPDATE_PACKAGE_SPEC, OPENCLAW_GATEWAY_URL, BROWSER_EXECUTABLE_PATH, CLAWHUB_TOKEN, etc.) - this is labor-intensive and error-prone; (3) Run OpenClaw in a sandboxed environment (container, VM) with network egress filtering to prevent gateway redirection and update source compromise, accepting the operational overhead of managing isolated development environments. These workarounds introduce significant friction to developer workflows and do not fully mitigate the vulnerability; upgrading to the patched version remains the only complete remediation.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-43531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy